Despite Breach Trends - Website Vulnerabilities Decrease

WhiteHat Security has released its 12th Website Security Statistics Report, and indications are that despite the apparent increase in the number of successful attacks, organizations are making good progress in eliminating common website vulnerabilities.

"Despite the plethora of recent breach headlines, websites could in fact be getting more “secure” — that is to say, less vulnerable," the report states.

The report is based on 2011 data from assessments of more than seven thousand websites representing multiple sectors, and reveals a sharp decrease in the average number of detected vulnerabilities, continuing a trend measured over several years.

"There is a significant drop in the average number of serious vulnerabilities found per website per year — from 230 identified in 2010 to 79 in 2011. This is much reduced from over a thousand vulnerabilities back in 2007," the report notes.

Of all the vulnerabilities detected in the study, Cross-Site Scripting led the pack with about fifty percent of websites vulnerable, followed by Information Leakage problems in fourteen percent of sites, and Content Spoofing vulnerabilities in just under ten percent of sites.

SQL Injection remains the most exploited website vulnerability, according to the report, with five percent of websites analyzed exhibiting "at least one SQL Injection vulnerability exposed that was exploitable without first needing to login to the website." On average, fifty-five percent of SQL Injection vulnerabilities identified were remedied in fifty-three days - down from an average of fifty-seven days in 2010.

The sectors that exhibited the fastest mitigation of serious vulnerabilities were led by Energy with an average of four days, followed by Manufacturing with an average of seventeen days and Retail with twenty-seven days.

The sectors that exhibited the slowest mitigation of serious vulnerabilities included Non-Profits with a ninety-four day average, Financial Services at eighty days and Telecommunications at fifty days.

Conversely, the sectors that corrected the lowest percentage of identified vulnerabilities were Energy, Education, and Manufacturing, while Banking, Telecommunications and Retail led the pack.

The report also discusses several explanations as to why different industry verticals consistently exhibit higher or lower levels of detected vulnerabilities, and the possible influencing factors.

"Website security is greatly influenced by compliance obligations, customer and partner security requirements, community awareness campaigns, and of course attackers making their presence felt. All of these things serve to improve website security," the report states.

The culture of security among different sectors may also have an impact on the level of measured vulnerabilities, as some industries may still feel they are less likely to be targeted by attackers.

"The time for using 'No one would want to attack us' as a security strategy is clearly over, if it was ever true to begin with. Any company doing business online has something worth hacking into," the authors state.

Other key findings in the report include:

Web Application Firewalls could have helped mitigate the risk of at least 71% of all custom Web application vulnerabilities identified.

There was notable improvement across all verticals, but Banking websites had the fewest security issues of any industry, with an average of 17 serious vulnerabilities identified per website.

Serious vulnerabilities were fixed in an average of 38 days or faster, a vast improvement over the 116 days it took during 2010.

The overall percentage of serious vulnerabilities that were fixed was 63%, up from 53% in 2010, and a marked improvement from 2007 when it was just 35%. That is roughly a 7% average improvement per year over each of the last four years.

The higher a vulnerability's severity, the more likely it is to reopen after being fixed. Urgent: 23%, Critical: 22%, High: 15%.

The average number of days a website was exposed to at least one serious vulnerability improved slightly to 231 days in 2011, from 233 days in 2010.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
